" hipaa compliance Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘hipaa compliance’

How to Evaluate any New Software or Service for HIPAA Compliance

Friday, August 9th, 2019

If your organization operates in the health sector or processes data for clients that are, then it will need to deal with all ePHI in a HIPAA-compliant manner. This means that HIPAA-compliant software and services are required whenever and wherever protected health information is dealt with.

HIPAA regulations limit the range of services that a company can use. Due to the complexity of the laws, it’s important to evaluate any potential service in a thorough manner to ensure that it is in fact HIPAA compliant. To make the process a little less daunting, we’ve collected a list of steps that make it easier to discern whether a provider can protect your organization’s data appropriately:

Does the Provider Say That the Service Is HIPAA Compliant?

This is the easiest and perhaps most obvious step. Organizations that provide HIPAA-compliant services generally advertise it quite prominently. If they are putting in the extra work to keep their clients secure and within the regulations, then the odds are that they are going to tell potential customers about it.

If you visit the company’s website (or talk to a sales rep) and don’t come across any information about HIPAA compliance, then it’s pretty safe to assume that the software or service is not HIPAA Compliant. If you want to make sure that you didn’t overlook anything, you can do a site search of the company’s website, looking for “HIPAA Compliant” and related keywords.

If you don’t find any results, it’s probably best to move on to other providers. If a company was actually HIPAA Compliant but didn’t make the information clear, it raises some serious questions about the company’s practices and strategies. Given the importance of HIPAA Compliance, it’s probably best to move on to another provider.

Let’s not get ahead of ourselves and assume that we can trust a company just because it says it’s HIPAA Compliant. This is simply the first step of the evaluation process and it helps to rule out a large number of providers. Once your organization has narrowed down the list, it still needs to analyze other aspects of the service and the company behind it.

Is the Service Provider Willing to Sign a Business Associate Agreement?

The next step is to determine whether the provider is willing to sign a business associate agreement (BAA) with your organization. If the service provider will be processing your company’s ePHI, but won’t sign a BAA with it, then any data sharing will not be HIPAA Compliant.

According to HIPAA, a BAA is required for any third party that may process your organization’s ePHI. This agreement stipulates how the data will be protected and processed, as well as where the responsibilities are delineated.

Let’s say a hypothetical organization did actually secure the data in a HIPAA-compliant manner without having signed the agreement – this would still violate the regulations, because there is no written agreement that ensures the protection of the patient data.

Look at the Company’s Reputation and Reviews

Trust is critical when it comes to HIPAA compliance. While you can’t look into the future and see how your organization’s experience with a service will play out, you can get a rough idea by looking at the company’s reputation, as well as any public reviews that may have been posted.

If a service provider has been in the industry for a long time, it’s generally a good sign. But be wary if the organization is branching out into a new service. A company could be industry-renowned for its HIPAA-compliant email, but if it have just launched a new chat service, it may not necessarily be up to the same standards. While new services aren’t necessarily bad by default, it’s probably best to do additional research before signing up to be a guinea pig.

Another key indicator is the service provider’s reviews. Do you know anyone personally or that you trust who has used the service? What did they say? Did their experience show that the company was committed to security and HIPAA compliance?

You can also look to online reviews and industry forums to find more information and stories from service providers. It’s important to not throw all of your trust into what someone says on the internet, but if you come across negative experience after negative experience, it may be a decent warning sign to steer clear. Watch out for digital marketing though – some companies are especially cunning and post ads that look like honest forum posts or reviews.

Investigate the Details

The steps listed above are a good way to narrow things down, but they are no substitute for a thorough evaluation. It’s your organization’s responsibility to make sure that a potential service has every technical, administrative, and operational measure that it needs to stay within the lines of HIPAA.

While a service provider will be responsible for compliance in a number of areas (if a BAA is in place), your organization is not at all free of obligations. It needs to make sure that it is encrypting data where necessary, that it implements effective access control, and has a host of other measures in place. It also needs an overarching policy that brings all of the elements together in a comprehensive plan.

Any HIPAA-compliant provider should be more than happy to share the technical, privacy, and legal details with a potential client. If not, your organization should be extremely suspicious of its services. If your organization lacks the expertise to thoroughly evaluate a provider, then it may be best to engage an outside consultant who can handle it for you.

HIPAA compliance is serious and complex. It’s important to get it right from the start, through careful examination and planning. If your organization doesn’t tread carefully from the beginning, it could very well find itself on the wrong side of the regulations, facing significant legal penalties.

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business, and those in the industry are facing increasing pressure to maintain their standing against their rivals. One of the key tactics for keeping up involves having a carefully planned marketing strategy.

While there are a range of different approaches that companies can take, sending out marketing emails proves popular, because many organizations have substantial email lists of their clients.

This practice can have a range of business advantages, but the more cautious in the sector may be wondering “Do healthcare marketing emails have to be HIPAA-compliant?”

It’s an important question to ask, and one that’s not exactly clear-cut, because the answer is dependent on the context.

Does the Email Contain Protected Health Information?

Information is protected by HIPAA regulations if it contains “protected health information” that is “individually identifiable.”  The term “protected health information” refers to any data that relates to a person’s health, treatment or payment information, whether it is in the past, present, or future.

Under this definition, things like the results of a test, a prescription, an appointment notice, or a receipt for healthcare services are just a few of the many things considered “protected health information.”

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked back to the individual. There are a long list of identifiers, such as names, addresses, birthdays, contact details, insurance details, biometrics, and many more are considered possible identifiers under HIPAA.  The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual”, so this concept is really is all-encompassing.

Does the Marketing Email Tick Both Boxes?

If it does, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t your organization may be safe. But before you rush into sending off your emails, you need to be careful, because the edges of HIPAA can be blurred, and it’s best to stay on the safe side.

Let’s give you an example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it can use this information not just to help mothers-to-be, but also to bring in new business. The clinic then sends out an email to all of its expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it infers that everyone in the group is an expectant mother, which means that it could be considered protected health information. Since it was also addressed to each of their email addresses, it also contains individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could potentially fall foul of HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA, because such an approach wouldn’t single out the women who were pregnat (though it might single you out as a former patient of that clinic and, depending on what the clinic is, that could also imply things about your past/present/future medical treatments). While this kind of situation sounds rare, it’s important to appreciate that it can and does occur, so that your organization is more cautious and doesn’t unwittingly end up with a HIPAA violation.

Even if most of your organization’s emails never tick both of these boxes, it may be best to send them in a HIPAA-compliant manner anyway. This is because a slight, unintentional change to your organization’s approach could lead to the inclusion of ePHI, leading your company to a HIPAA violation.

When you consider the high penalties of these violations in comparison to the insignificant costs of sending HIPAA-compliant messages, making sure that all of its emails are sent in compliance with the regulations ends up being a pretty cheap insurance policy.

How Can You Make Healthcare Marketing Emails HIPAA-Compliant?

If your organization sends out marketing emails that could contain ePHI, then it’s important to make sure that they are sent in a HIPAA-compliant manner. The best approach is to use a HIPAA-compliant bulk email service, such as LuxSci’s High Volume Secure Email Sending.

Your organization will need to sign a HIPAA Business Associate Agreement with the service provider and use the appropriate encryption, access control and other security mechanisms that are needed to protect ePHI.

Using a service with opt-out encryption (as opposed to one with risky opt-in encryption, requiring you to actively specify which messages need encryption) limits the risks of user error, which means that your organization is more free to send out its marketing emails, without such a significant threat of accidentally violating HIPAA regulations.

What is Willful Neglect Under HIPAA?

Thursday, March 7th, 2019

HIPAA, the Health Insurance Portability and Accountability Act of 1996, spells out rules and regulations for the privacy and protection of individually identifiable health information. The HIPAA Privacy Rule and the HIPAA Security Rule establish standards related to the implementation of physical, administrative, and technical safeguards to ensure that PHI or Protected Health Information is handled with the utmost confidentiality and integrity.

The failure to adhere to the regulations established under HIPAA can lead to criminal and civil penalties, followed by progressive disciplinary actions. These penalties apply to to healthcare entities, as well as individuals.

The reckless or intentional failure to comply with the rules set forward under HIPAA is what is referred to as “Willful Neglect.”  Violations, as a result of willful neglect, can carry severe penalties, civil or criminal depending on the exact facts of the case.

what is willful neglect HIPAA

Case in point

In early 2011, the HHS (The Department of Health and Human Services) levied a fine of $4.3 million on an entity named Cignet Health Center for willful neglect. What’s unique about this case is that the entity was not fined for breach of privacy.

Read the rest of this post »

What You Need To Know About the HIPAA Security Rule

Thursday, January 10th, 2019

In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But, how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.

What is the difference between the privacy and security of health information?

With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information; and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA privacy Rule applies to all protected health information.

Security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information

Now, the HIPAA Security Rule isn’t extensive regarding the regulatory text. However, it is quite technical. It is the codification of specific information and technological best practices and standards.

The HIPAA Security Rule mainly requires the implementation of three key safeguards, that is, technical, physical, and administrative. Other than that, it demands certain organizational requirements and the documentation of processes, as it is with the HIPAA Privacy Rule.

HIPAA Security Rules

Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.

Having said that, the HIPAA Security Rule is designed to be flexible, which means covering all the required aspects of security shouldn’t be tough. There is no need for leveraging specific procedures or technologies. Organizations are allowed to determine the kind of resources necessary for ensuring compliance.

Read the rest of this post »

Case Study: Securely Email Medical Laboratory Results to Patients

Thursday, February 1st, 2018

We count many medical laboratories among our customers.  They process lab tests for doctors and send the results to the patients via email.

Medical laboratories, while sometimes not HIPAA covered entities themselves, are Business Associates with Hospitals and doctors who are required to abide by HIPAA.  By the “transitive” nature of the HIPAA privacy laws, such Business Associates must take pains to abide by HIPAA security and privacy standards, protecting patient data, and ensuring confidentiality.

Medical labs use large scale secure email sending

In order to send patients their results via email, these labs must use a HIPAA-complaint system that can send email to anyone with an email address.

This post describes how one large medical lab uses LuxSci’s SecureLine to safely deliver lab results to 1000s people every day.

Read the rest of this post »

LUXSCI